In the midst of the holiday season, cybercriminals are currently spamvertising tens of thousands of malicious “Flight Reservation Confirmations”, in an attempt to trick users into clicking on the link found in the fake emails. Once they click on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign: hxxp://minjust.isfb.ru/mail.htm; hxxp://wrigglepot.com/mail.htm

Surprisingly, upon successful client-side exploitation, the campaign returns an empty response, indicating that the cybercriminals behind it applied very little QA (quality assurance) to this particular campaign.

We’re also aware of more client-side exploit serving URLs that used to respond to these IPs in the past.

Responding to these IPs (42.121.116.38 (AS37963); 202.180.221.186 (AS24496); 208.87.243.131 (AS40676)) are also several other malicious domains.
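As an added illustration that is not part of the original post, the Python below looks for the two-stage pattern described above in proxy logs: a client fetching a compromised site's /mail.htm and then, shortly afterwards, connecting to one of the three IPs named here. The log format, the hosts other than minjust.isfb.ru, and the 60-second correlation window are assumptions; the log lines are constructed, not real traffic.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# The three IPs the post names as serving the exploit-kit side of the campaign.
EXPLOIT_KIT_IPS = {"42.121.116.38", "202.180.221.186", "208.87.243.131"}
LANDING_PATH = "/mail.htm"          # path served by the compromised sites
WINDOW = timedelta(seconds=60)      # assumed: redirect to the kit follows within seconds

# Constructed sample proxy log (assumed format, not real traffic):
# <timestamp> <client ip> <method> <url> <destination ip>
SAMPLE_LOG = """\
2012-12-20T10:01:02 10.0.0.5 GET http://minjust.isfb.ru/mail.htm 198.51.100.7
2012-12-20T10:01:04 10.0.0.5 GET http://kit.example.invalid/landing.php 42.121.116.38
2012-12-20T10:05:00 10.0.0.9 GET http://intranet.example.invalid/mail.htm 10.0.0.20
2012-12-20T10:07:00 10.0.0.12 GET http://other.example.invalid/index.php 208.87.243.131
2012-12-20T10:30:00 10.0.0.9 GET http://kit.example.invalid/landing.php 202.180.221.186
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (time, client, url, dest_ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, dest = m.groups()
        yield datetime.fromisoformat(ts), client, url, dest


def find_campaign_chains(text, window=WINDOW):
    """Return (chains, orphans): chains are clients that hit a /mail.htm landing
    page and then one of the kit IPs within `window`; orphans are kit contacts
    with no landing page seen in time (a /mail.htm hit alone is not evidence)."""
    landing = {}  # client -> (time, host) of the most recent /mail.htm request
    chains, orphans = [], []
    for ts, client, url, dest in parse_log(text):
        parts = urlsplit(url)
        if parts.path == LANDING_PATH and dest not in EXPLOIT_KIT_IPS:
            landing[client] = (ts, parts.hostname)
        if dest in EXPLOIT_KIT_IPS:
            seen = landing.get(client)
            if seen and timedelta(0) <= ts - seen[0] <= window:
                chains.append((client, seen[1], dest))
            else:
                orphans.append((client, dest))
    return chains, orphans
```

The intranet /mail.htm request and the late contact from 10.0.0.9 show why correlation is needed: only the first client completes the chain, while the other two kit contacts are reported separately for manual review.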